Privacy Policy

Account & Profile Information

• Name, email address, and profile photo (via Google OAuth sign-in or email registration)
• Work experience, education history, skills, and certifications
• Resume and cover letter content you upload or that we generate for you
• Job preferences, target roles, and location preferences

Job Data

• Job postings you analyze or interact with through the Service
• Job match scores, skill gap analyses, and application status
• Employer information extracted from job listings

Generated Documents

• Tailored resumes and cover letters generated by our AI
• Document quality scores and improvement suggestions

Usage & Analytics Data

• Pages visited, features used, and actions taken within the Service
• Device type, browser type, operating system, and screen resolution
• IP address, approximate geographic location (country/region level)
• Referral source and session duration

Payment Information

• Billing details are processed by Stripe. We do not store your full credit card number, CVC, or bank account details on our servers. We receive only a tokenized reference, card brand, last four digits, and expiration date from Stripe.

We use the information we collect to:

• Provide the Service — match you with relevant job postings, generate tailored resumes and cover letters, and track your applications
• Improve job matching — train and refine our machine learning models using anonymized and aggregated data to improve match accuracy for all users
• Communicate with you — send transactional emails, document-ready notifications, and product updates (you can opt out of non-essential communications)
• Ensure security — detect fraud, prevent abuse, and enforce our Terms of Service
• Analytics — understand usage patterns to improve features, fix bugs, and guide product decisions

We do not sell your personal information to third parties. We do not use your individual resume content to train AI models — only anonymized, aggregated patterns (e.g., which skills appear most frequently in successful applications) are used for model improvement.

The Aladdin Chrome Extension operates with scoped permissions and collects data only in the context of job-seeking activity:

• Job page analysis — when you visit a job listing on a supported job site (e.g., LinkedIn, Indeed, Greenhouse, Lever), the extension reads the page content to extract job title, company name, requirements, and description for analysis
• Active tab only — the extension only reads page content on job-related sites when you explicitly trigger an analysis or when our job detection heuristic identifies a job listing. It does not read content on non-job-related websites
• No browsing history — we do not track, store, or transmit your general browsing history. The extension does not monitor pages outside of recognized job platforms
• Local processing — initial job detection heuristics run locally in the browser. Only confirmed job listing data is transmitted to our servers for analysis
• Credential handling — during active automation sessions (when you use the autonomous application agent), the extension may transmit credentials over a secure WebSocket connection (WSS) to fill application forms on your behalf. Credentials are processed ephemerally and are not stored on our servers

If you choose to connect your Gmail account, the Service accesses your Gmail data through the Google Gmail API. This section describes exactly what data is accessed, how it is used, and the restrictions we follow.

What Gmail Data We Access

• Read access (gmail.readonly) — we search your inbox for specific application-related emails only: one-time passwords (OTPs) and verification codes from job application platforms, and application confirmation/status update emails from employers. We do not read, scan, or index your general email content.
• Send access (gmail.send) — if you use the networking outreach feature, we send emails on your behalf to professional contacts you specify. Every email is initiated by your explicit action and you review the content before sending.

How Gmail Data Is Used

• OTP codes are extracted and used to complete application forms during automation sessions, then immediately discarded
• Application status emails are parsed to update your application tracking dashboard
• Outreach emails are composed based on templates you customize and sent via your Gmail account

How Gmail Tokens Are Stored

• Gmail OAuth access tokens and refresh tokens are encrypted using AES-256-GCM before storage
• Encryption keys are managed separately from the database
• Tokens are only decrypted server-side at the moment of API access
• You can revoke Gmail access at any time from your account settings, which immediately deletes all stored tokens

Gmail data retention: OTP codes are discarded immediately after use. Application status data extracted from emails is stored as part of your application tracking history and is deleted when you delete the corresponding application or your account. Outreach email metadata (recipient, subject, timestamp) is retained for your outreach history; the full email body is not stored on our servers after sending.

We integrate with the following third-party services, each governed by their own privacy policies:

• All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
• User data is stored in a PostgreSQL database hosted on AWS (US-East-2, Ohio) with automated backups and point-in-time recovery
• Frequently accessed data (e.g., session tokens, quota counters) is cached in Redis with password authentication and in-memory encryption
• Gmail OAuth tokens are encrypted with AES-256-GCM using a dedicated encryption key before database storage
• Authentication uses httpOnly, Secure, SameSite cookies to prevent XSS and CSRF attacks
• API keys and secrets are stored in environment variables and secret management services, never in source code
• We conduct regular security audits and employ multiple independent AI code reviewers to catch vulnerabilities before deployment
• Access to production systems is restricted to authorized personnel with multi-factor authentication

We use the following cookies:

Analytics cookies are only set when you explicitly consent via our cookie banner. We use Datadog RUM for analytics, which sets session tracking cookies only after consent. Essential cookies cannot be disabled as they are required for the Service to function. We do not use third-party advertising cookies or tracking pixels.

When you delete your account, we begin purging your personal data within 30 days. Some anonymized, aggregated data (e.g., skill frequency statistics) may be retained indefinitely as it cannot be linked back to you.

Your data is processed and stored on servers located in the United States (AWS US-East-2, Ohio). If you access the Service from outside the United States, your data will be transferred to and processed in the United States.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as our legal mechanism for international data transfers. These clauses provide appropriate safeguards for the protection of your personal data when it is transferred outside the EEA.

Our third-party service providers (Stripe, Datadog, Google Cloud) maintain their own data processing agreements and transfer mechanisms. You may request a copy of the applicable Standard Contractual Clauses by contacting us at privacy@aladdin-ai.net.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:

• Right of access — request a copy of the personal data we hold about you (available via Settings → Data Management → Export Data)
• Right to rectification — request correction of inaccurate or incomplete personal data (edit directly in your profile)
• Right to erasure — request deletion of your personal data (available via Settings → Data Management → Delete Account)
• Right to data portability — receive your personal data in a structured, commonly used, machine-readable format (JSON export)
• Right to restrict processing — request that we limit how we use your data
• Right to object — object to processing based on legitimate interests or for direct marketing
• Right to withdraw consent — withdraw consent at any time where processing is based on consent (e.g., analytics cookies can be revoked via the cookie banner)

To exercise any of these rights, use the self-service tools in your account settings or contact us at privacy@aladdin-ai.net. We will respond within 30 days. If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.

Legal basis for processing: (a) performance of a contract (providing the Service), (b) legitimate interest (improving our Service, preventing fraud, and ensuring security), and (c) your consent (where explicitly obtained, such as for analytics cookies and Gmail access).

Data controller: Aladdin AI, contactable at privacy@aladdin-ai.net.

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you additional rights:

• Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you (available via Settings → Data Management → Export Data)
• Right to delete — request deletion of your personal information, subject to certain legal exceptions (available via Settings → Data Management → Delete Account)
• Right to correct — request correction of inaccurate personal information (edit directly in your profile)
• Right to opt-out of sale/sharing — we do not sell or share your personal information with third parties for cross-context behavioral advertising
• Right to non-discrimination — we will not discriminate against you for exercising your CCPA/CPRA rights

To submit a verifiable consumer request, use the self-service tools in your account settings or email privacy@aladdin-ai.net. We will verify your identity and respond within 45 days.

The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal data, we will delete that information promptly. If you believe a child under 16 has provided us with personal data, please contact us at privacy@aladdin-ai.net.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, by sending you an email notification or displaying a prominent notice within the Service. We encourage you to review this policy periodically to stay informed about how we protect your data.

If you have questions or concerns about this Privacy Policy or our data practices, please contact us: